Abstract. An infinite run of a timed automaton is Zeno if it spans only 
a finite amount of time. Such runs are considered unfeasible and hence 
it is important to detect them, or dually, find runs that are non-Zeno. 
Over the years important improvements have been obtained in checking 
reachability properties for timed automata. We show that some of these 
very efficient optimizations make testing for Zeno runs costly. In partic- 
ular we show NP-completeness for the LU-extrapolation of Behrmann et 
al. We analyze the source of this complexity in detail and give general 
conditions on extrapolation operators that guarantee a (low) polynomial 
complexity of Zenoness checking. We propose a slight weakening of the 
LU-extrapolation that satisfies these conditions. 



1 Introduction 

Timed automata [1] are finite automata augmented with a finite number of 
clocks. The values of the clocks increase synchronously along with time in the 
states of the automaton and these values can be compared to a constant and 
reset to zero while crossing a transition. This model has been successfully used 
for verification of timed systems thanks to a number of tools [3, 6, 14]. 

Since timed automata model reactive systems that continuously interact with 
the environment, it is interesting to consider questions related to their infinite 
executions. An execution is said to be Zeno if an infinite number of events 
happen in a finite time interval. Such executions are clearly unfeasible. During 
verification, the aim is to detect if there exists a non-Zeno execution that violates 
a certain property. On the other hand while implementing timed automata, it is 
required to check the presence of pathological Zeno executions. This brings the 
motivation to analyze an automaton for the presence of such executions. 

The analysis of timed automata faces the challenge of handling its uncount- 
ably many configurations. To tackle this problem, one considers a finite graph 
called the abstract zone graph (also known as simulation graph) of the automa- 
ton. This finite graph captures the semantics of the automaton. In this paper, 
we consider the problems of deciding if an automaton has a non-Zeno execution, 
dually a Zeno execution, given its abstract zone graph as input. 

An abstract zone graph is obtained by over-approximating each zone of the 
so-called zone graph with an abstraction function. The zone graph in principle 
could be infinite and an abstraction function is necessary for reducing it to a 
finite graph. The coarser the abstraction, the smaller the abstract zone graph, 
and hence the quicker the analysis of the automaton. This has motivated a lot of 
research towards finding coarser abstraction functions [2]. The classic 
maximum-bound abstraction uses as a parameter the maximal constant a clock gets 
compared to in a transition. A coarser abstraction called the LU-extrapolation was 
introduced in Behrmann et al. [2] for checking state reachability in timed 
automata. This is the coarsest among all the implemented approximations and is 
at present efficiently used in tools like UPPAAL. 

It was shown in [12, 13] that even infinite executions of the automaton directly 
correspond to infinite paths in the abstract zone graph when one uses 
the maximum-bound approximation. In addition, it was proved that the exis- 
tence of a non-Zeno infinite execution could be determined by adding an extra 
clock to the automaton to keep track of time and analyzing the abstract zone 
graph of this transformed automaton. A similar correspondence was established 
in the case of the LU-extrapolation by Li [11]. These results answer our question 
about deciding non-Zeno infinite executions of the automaton from its abstract 
zone graph. However, it was shown in [9, 10] that adding a clock has an ex- 
ponential worst case complexity. A new polynomial construction was proposed 
for the case of the classic maximum-bound approximation. But, the case of the 
LU-extrapolation was not addressed. 

In this paper, we prove that the non-Zenoness question turns out to be 
NP-complete for the LU-extrapolation, that is, given the abstract zone graph over the 
LU-extrapolation, deciding if the automaton has a non-Zeno execution is NP- 
complete. We study the source of this complexity in detail and give conditions 
on abstraction operators to ensure a polynomial complexity. To this regard, 
we extend the polynomial construction given in [9] to an arbitrary abstraction 
function and analyze when it stays polynomial. It then follows that a slight 
weakening of the LU-extrapolation makes the construction polynomial. In the 
second part of the paper, we repeat the same for the dual question: given an 
automaton's abstract zone graph, decide if it has Zeno executions. Yet again, we 
notice NP-completeness for the LU-extrapolation. We introduce an algorithm for 
checking Zenoness over an abstract zone graph with conditions on the abstraction 
operator to ensure a polynomial complexity. We provide a different weakening 
of LU-extrapolation that gives a polynomial solution to the Zenoness question. 

Related work As mentioned above, the LU-extrapolation was proposed in [2] and 
shown how it could be efficiently used in UPPAAL for the purpose of reachability. 
The correctness of the classic maximum-bound abstraction was shown in [4]. 
Extensions of these results to infinite executions occur in [13,11]. The trick 
involving adding an extra clock for non-Zenoness is discussed in [9]. For the case 
of checking existence of Zeno runs in timed automata, a bulk of the literature 
directs to [8, 5]. They provide a sufficient-only condition for the absence of Zeno 
runs. This is different from our proposed solution which gives a complete solution 
(necessary and sufficient conditions) by analyzing the abstract zone graph of the 
automaton. 

Organization of the paper We start with the formal definitions of timed 
automata, abstract zone graphs, the Zenoness and Non-Zenoness problems in 
Section 2. Subsequently, we prove the NP-completeness of the non-Zenoness 
problem for the LU-extrapolation in Section 3. We then recall the construction 
proposed for non-Zenoness in [9] and extend it to a general abstraction 
operator giving conditions for polynomial complexity. Section 5 talks about the dual 
Zenoness problem and Section 6 concludes the paper with some perspectives. 

2 Zeno-related Problems for Timed Automata 

2.1 Timed Automata 

Let $\mathbb{R}_{\ge 0}$ denote the set of non-negative real numbers. Let $X$ be a set of 
variables, named clocks hereafter. A valuation is a function $v : X \to \mathbb{R}_{\ge 0}$ 
that maps every clock in $X$ to a non-negative real value. We denote the set of all 
valuations by $\mathbb{R}_{\ge 0}^X$, and by $\mathbf{0}$ the valuation that maps every clock in $X$ 
to 0. For $\delta \in \mathbb{R}_{\ge 0}$, we denote $v + \delta$ the valuation mapping each 
$x \in X$ to the value $v(x) + \delta$. For a subset $R$ of $X$, let $[R]v$ be the valuation 
that sets $x$ to 0 if $x \in R$ and assigns $v(x)$ otherwise. A clock constraint is a 
conjunction of constraints $x \# c$ for $x \in X$, $\# \in \{<, \le, =, \ge, >\}$ and 
$c \in \mathbb{N}$, e.g. We denote $\Phi(X)$ the set of clock constraints over clock 
variables $X$. For a valuation $v$ and a constraint $\phi$ we write $v \models \phi$ when 
$v$ satisfies $\phi$, that is, when $\phi$ holds after replacing every $x$ by $v(x)$. 

A Timed Automaton (TA) [1] $\mathcal{A}$ is a finite automaton extended with clocks 
that enable or disable transitions. Formally, $\mathcal{A}$ is a tuple $(Q, q_0, X, T)$ 
where $Q$ is a finite set of states, $q_0 \in Q$ is the initial state, $X$ is a finite set 
of clocks and $T \subseteq Q \times \Phi(X) \times 2^X \times Q$ is a finite set of 
transitions. For each transition $(q, g, R, q') \in T$, $g$ is a guard that defines the 
valuations of the clocks that allow to cross the transition, and $R$ is a set of clocks 
that are reset on the transition. 

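A configuration of $\mathcal{A}$ is a pair $(q, v) \in Q \times \mathbb{R}_{\ge 0}^X$. A 
transition $(q, v) \xrightarrow{\delta, t} (q', v')$ with $t = (q, g, R, q') \in T$ and 
$\delta \in \mathbb{R}_{\ge 0}$ is enabled when $v + \delta \models g$ and 
$v' = [R](v + \delta)$. A run $\rho$ of $\mathcal{A}$ is a (finite or infinite) sequence of 
transitions starting from the initial configuration $(q_0, \mathbf{0})$: 

$$(q_0, \mathbf{0}) \xrightarrow{\delta_0, t_0} (q_1, v_1) \xrightarrow{\delta_1, t_1} \cdots (q_i, v_i) \xrightarrow{\delta_i, t_i} \cdots$$

Definition 1 (Zeno/non-Zeno runs). A run 
$(q_0, \mathbf{0}) \xrightarrow{\delta_0, t_0} \cdots (q_i, v_i) \xrightarrow{\delta_i, t_i} \cdots$ 
is non-Zeno if time diverges, that is, $\sum_{i \ge 0} \delta_i = \infty$. Otherwise it is Zeno. 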

Notice that only infinite sequences can be non-Zeno. As can be seen, the num- 
ber of configurations (q, v) could be uncountable. We now define the abstract 
semantics for timed automata. 

2.2 Symbolic Semantics, Zenoness and non-Zenoness Problems 

A zone is a set of clock valuations that satisfy a conjunction of constraints of the 
form $x_i \# c$ and $x_i - x_j \# c$ with $x_i, x_j \in X$, $\# \in \{<, \le, =, \ge, >\}$ 
and $c \in \mathbb{N}$. For instance, $(x_1 < 1 \wedge x_1 - x_2 > 0)$ is a zone. Zones can 
be efficiently represented by Difference Bound Matrices (DBMs) [7]. A DBM 
representation of a zone $Z$ is a $|X| + 1$ square matrix $(Z_{ij})_{i,j \in [0;|X|]}$ where 
each entry $Z_{ij} = (c_{ij}, \preccurlyeq_{ij})$ represents the constraint 
$x_i - x_j \preccurlyeq_{ij} c_{ij}$ for $c_{ij} \in \mathbb{Z} \cup \{\infty\}$ and 
$\preccurlyeq_{ij} \in \{<, \le\}$. The special clock $x_0$ encodes the value 0. 

The symbolic semantics (or zone graph) of $\mathcal{A}$ is the transition system 
$ZG(\mathcal{A}) = (S, S_0, \Rightarrow)$ where $S$ is the set of nodes $(q, Z)$ with $q$ a 
state of $\mathcal{A}$ and $Z$ a zone; $S_0 = (q_0, Z_0)$ with 
$Z_0 = \{\mathbf{0} + \delta \mid \delta \in \mathbb{R}_{\ge 0}\}$ as the initial node. There 
exists a transition $(q, Z) \Rightarrow^t (q', Z')$ with $t = (q, g, R, q') \in T$ if $Z'$ is 
the set of valuations $[R]v + \delta$ for some $\delta \in \mathbb{R}_{\ge 0}$ and some 
valuation $v \in Z$ such that $v \models g$. If $Z$ is a zone, then $Z'$ is a zone. 
Moreover, a DBM representation of $Z'$ can be computed from the DBM representation 
of $Z$ (see for instance [4]). 

However $ZG(\mathcal{A})$ may still be infinite. Several abstractions have been 
introduced to obtain a finite graph from $ZG(\mathcal{A})$. A finite abstraction $a$ is a 
map from $\mathcal{P}(\mathbb{R}_{\ge 0}^X)$ to $\mathcal{P}(\mathbb{R}_{\ge 0}^X)$ such that 
for every zone $Z$: $a(Z)$ is a zone, $Z \subseteq a(Z)$, $a(a(Z)) = a(Z)$ and $a$ has a 
finite range. In particular $\mathsf{Extra}_M$ [4], $\mathsf{Extra}_M^+$, 
$\mathsf{Extra}_{LU}$ and $\mathsf{Extra}_{LU}^+$ [2] are well-known finite abstractions. 
The last two abstractions are usually preferred as they are coarser and hence lead to 
more efficient algorithms. We define these abstractions below. 

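Let $L : X \to \mathbb{N} \cup \{-\infty\}$ and $U : X \to \mathbb{N} \cup \{-\infty\}$ be 
two maps that associate to each clock in $\mathcal{A}$ its maximal lower bound and its 
maximal upper bound respectively: that is, for every $x \in X$, $L(x)$ is the maximal 
integer $c$ such that $x > c$ or $x \ge c$ appears in some guard of $\mathcal{A}$. We let 
$L(x) = -\infty$ if no such $c$ exists. Similarly, we define $U(x)$ with respect to clock 
constraints like $x < c$ and $x \le c$. We define $\mathsf{Extra}_{LU}(Z) = Z^{LU}$ and 
$\mathsf{Extra}_{LU}^+(Z) = Z^{LU+}$ as: 

$$Z^{LU}_{ij} = \begin{cases}
(\infty, <) & \text{if } c_{ij} > L(x_i) \\
(-U(x_j), <) & \text{if } -c_{ij} > U(x_j) \\
Z_{ij} & \text{otherwise}
\end{cases}$$

$$Z^{LU+}_{ij} = \begin{cases}
(\infty, <) & \text{if } c_{ij} > L(x_i) \\
(\infty, <) & \text{if } -c_{0i} > L(x_i) \\
(\infty, <) & \text{if } -c_{0j} > U(x_j),\ i \ne 0 \\
(-U(x_j), <) & \text{if } -c_{0j} > U(x_j),\ i = 0 \\
Z_{ij} & \text{otherwise}
\end{cases}$$

where $L(x_0) = U(x_0) = 0$ for the special clock $x_0$. The abstraction 
$\mathsf{Extra}_M$ is defined in a similar way to $\mathsf{Extra}_{LU}$ by replacing every 
occurrence of $L$ and $U$ by $M$ which maps every clock $x$ to $\max(L(x), U(x))$. The 
following property is later used to extend our results for $\mathsf{Extra}_{LU}$ to 
$\mathsf{Extra}_{LU}^+$. 

Theorem 1 ([2]). For each zone $Z$, we have: 
$Z \subseteq \mathsf{Extra}_M(Z) \subseteq \mathsf{Extra}_M^+(Z)$; 
$Z \subseteq \mathsf{Extra}_{LU}(Z) \subseteq \mathsf{Extra}_{LU}^+(Z)$ and 
$\mathsf{Extra}_M^+(Z) \subseteq \mathsf{Extra}_{LU}^+(Z)$. 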

For two nodes $(q, Z)$ and $(q', Z')$, we define the relation 
$(q, Z) \Rightarrow^t_a (q', Z')$ if $(q, Z) \Rightarrow^t (q', Z'')$ in $ZG(\mathcal{A})$, 
$Z = a(Z)$ and $Z' = a(Z'')$. The abstract symbolic semantics (or the abstract zone 
graph) of $\mathcal{A}$ is the transition system $ZG^a(\mathcal{A})$ induced by 
$\Rightarrow_a$ with the initial node $(q_0, a(Z_0))$, where $(q_0, Z_0)$ is the initial 
node of $ZG(\mathcal{A})$. We denote by $ZG^{LU}(\mathcal{A})$ the abstract symbolic 
semantics when abstraction $\mathsf{Extra}_{LU}$ is considered, and $ZG^M(\mathcal{A})$ 
when the abstraction $a$ is $\mathsf{Extra}_M$. 

A path in $ZG^a(\mathcal{A})$ is a (finite or infinite) sequence of transitions: 

$$(q_0, Z_0) \Rightarrow^{t_0}_a (q_1, Z_1) \Rightarrow^{t_1}_a \cdots (q_i, Z_i) \Rightarrow^{t_i}_a \cdots$$

We say that a run 
$(q_0, \mathbf{0}) \xrightarrow{\delta_0, t_0} \cdots (q_i, v_i) \xrightarrow{\delta_i, t_i} \cdots$ 
of $\mathcal{A}$ is an instance of a path $\pi$ of $ZG^a(\mathcal{A})$ if they agree on the 
sequence of transitions $t_0, t_1, \ldots$, and if for every $i \ge 0$, $(q_i, v_i)$ and 
$(q_i, Z_i)$ coincide on $q_i$, and $v_i \in Z_i$. By definition of $Z_i$ this implies 
$v_i + \delta_i \in Z_i$. We say that an abstraction $a$ is sound if every path $\pi$ can be 
instantiated as a run of $\mathcal{A}$. Conversely, $a$ is complete when every run of 
$\mathcal{A}$ is an instance of some path in $ZG^a(\mathcal{A})$. 

A classical verification problem for Timed Automata is to answer state 
reachability queries. For that purpose, runs of $\mathcal{A}$ and paths in 
$ZG^a(\mathcal{A})$ are defined as finite sequences of transitions. A reachability query 
asks for the existence of a finite run leading to a given state. Reachability problems 
can be solved using $ZG^a(\mathcal{A})$ when $a$ is sound and complete and this property 
holds for the classical abstractions. 

Theorem 2 ([4, 2]). $\mathsf{Extra}_M$, $\mathsf{Extra}_M^+$, $\mathsf{Extra}_{LU}$ and 
$\mathsf{Extra}_{LU}^+$ are sound and complete for finite sequences of transitions. 

Liveness properties ask for the existence of an infinite run satisfying a given 
property. For instance, does $\mathcal{A}$ visit state $q$ infinitely often? Soundness and 
completeness of $a$ with respect to infinite runs allow to solve such problems from 
$ZG^a(\mathcal{A})$. Recently, it has also been proved that classical abstractions are also 
sound and complete for infinite paths/runs. 

Theorem 3 ([12,11]). $\mathsf{Extra}_M$, $\mathsf{Extra}_M^+$, $\mathsf{Extra}_{LU}$ and 
$\mathsf{Extra}_{LU}^+$ are sound and complete for infinite sequences of transitions. 

Thanks to Theorem 3, we know that every path $\pi$ in $ZG^a(\mathcal{A})$ can be 
instantiated to a run of $\mathcal{A}$. However, soundness is not sufficient to know if 
$\pi$ can be instantiated as a non-Zeno run. In the sequel, we consider the following 
problems, given an automaton $\mathcal{A}$ and an abstract zone graph $ZG^a(\mathcal{A})$. 

Input: $\mathcal{A}$ and $ZG^a(\mathcal{A})$ 

Non-Zenoness problem (NZP$^a$): Does $\mathcal{A}$ have a non-Zeno run? 
Zenoness problem (ZP$^a$): Does $\mathcal{A}$ have a Zeno run? 

Observe that solving ZP$^a$ does not solve NZP$^a$ and vice-versa: one is not the 
negation of the other. In this paper, we focus on the complexity of deciding ZP$^a$ 
and NZP$^a$ for different abstractions $a$. We denote NZP$^M$ and ZP$^M$ when 
abstraction $\mathsf{Extra}_M$ is considered. We similarly define NZP$^{LU}$ and 
ZP$^{LU}$ for abstraction $\mathsf{Extra}_{LU}$. The non-Zenoness problem is solved in 
polynomial time when abstraction $\mathsf{Extra}_M$ is considered [9,10]. Surprisingly, 
this is not true for abstraction $\mathsf{Extra}_{LU}$: in Section 3 we show that 
NZP$^{LU}$ is NP-complete. The same asymmetry appears in the Zenoness problem as 
well, which is shown in Section 5. 

Fig. 1. $\mathcal{A}^{NZ}_\phi$ for $\phi = (p_1 \vee \neg p_2 \vee p_3) \wedge (\neg p_1 \vee p_2 \vee p_3)$ 



3 Non-Zenoness is NP-complete for $\mathsf{Extra}_{LU}$ 

We give a reduction from the 3SAT problem: given a 3CNF formula $\phi$, we build 
an automaton $\mathcal{A}^{NZ}_\phi$ that has a non-Zeno run iff $\phi$ is satisfiable. The 
size of the automaton will be linear in the size of $\phi$. We will then show that the 
abstract zone graph $ZG^{LU}(\mathcal{A}^{NZ}_\phi)$ is isomorphic to the automaton 
$\mathcal{A}^{NZ}_\phi$, thus completing the polynomial reduction from 3SAT to NZP$^{LU}$. 

Let $P = \{p_1, \ldots, p_k\}$ be a set of propositional variables and let 
$\phi = C_1 \wedge \cdots \wedge C_n$ be a 3CNF formula with $n$ clauses. We define the 
timed automaton $\mathcal{A}^{NZ}_\phi$ as follows. Its set of clocks $X$ equals 
$\{x_1, \ldots, x_k, \overline{x_1}, \ldots, \overline{x_k}\}$. For a literal $\lambda$, let 
$cl(\lambda)$ denote the clock $x_i$ when $\lambda = p_i$ and the clock $\overline{x_i}$ when 
$\lambda = \neg p_i$. The set of states of $\mathcal{A}^{NZ}_\phi$ is 
$\{q_0, \ldots, q_k, r_0, \ldots, r_n\}$ where $q_0$ is the initial state. The transitions 
are as follows: 

— for each $p_i$ we have transitions $q_{i-1} \xrightarrow{\{x_i\}} q_i$ and $q_{i-1} \xrightarrow{\{\overline{x_i}\}} q_i$, 

— for each clause $C_m = \lambda^m_1 \vee \lambda^m_2 \vee \lambda^m_3$, $m = 1, \ldots, n$, there are three transitions 
$r_{m-1} \xrightarrow{cl(\lambda) \le 0} r_m$ where $\lambda \in \{\lambda^m_1, \lambda^m_2, \lambda^m_3\}$, 

— transitions $q_k \to r_0$ and $r_n \to q_0$ with no guards and resets. 

Figure 1 shows the automaton for the formula 
$(p_1 \vee \neg p_2 \vee p_3) \wedge (\neg p_1 \vee p_2 \vee p_3)$. Intuitively, a reset of 
$x_i$ represents $p_i \mapsto true$ and a reset of $\overline{x_i}$ means $p_i \mapsto false$. 
From $r_0$ to $r_2$ we check if the formula is satisfied by this guessed assignment. This 
formula is satisfied by every assignment that maps $p_3$ to true. This can be seen 
from the automaton by picking a cycle containing the transitions 
$q_2 \xrightarrow{\{x_3\}} q_3$, $r_0 \xrightarrow{x_3 \le 0} r_1$ and 
$r_1 \xrightarrow{x_3 \le 0} r_2$. On that path, time can elapse for instance in 
state $q_0$, since $x_3$ is reset before being zero-checked. Conversely, consider the 
assignment $p_1 \mapsto false$, $p_2 \mapsto true$ and $p_3 \mapsto false$ that does not 
satisfy the formula. Take a cycle that resets $\overline{x_1}$, $x_2$ and $\overline{x_3}$ 
corresponding to the assignment. Then none of the clocks that are checked for zero on 
the transitions from $r_0$ to $r_1$ has been reset. Notice that these transitions come 
from the first clause in the formula that evaluates to false according to the 
assignment. To take a transition from $r_0$, one of $x_1$, $\overline{x_2}$ and $x_3$ must 
be zero and hence time cannot elapse. 

Lemma 1 below states that if the formula is satisfiable, there exists a sequence 
of resets that allows time elapse in every loop. Conversely, if the formula is 
unsatisfiable, in every iteration of the loop, there is a zero-check that prevents 
time from elapsing. The proof of Lemma 1 is given in Appendix A. 
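
The reduction and the time-elapse argument above can be checked mechanically on small formulas. The following Python sketch is an added example, not code from the paper: the function names and the tuple encoding of transitions are assumptions made here, and both formulas are constructed inputs. It builds the automaton of the reduction, enumerates its cycles through $q_0$, and computes for each cycle the states from which every later zero-check is preceded by a reset of the checked clock.

```python
from itertools import product

# A literal is (variable index, polarity); polarity False is the negated variable.
# Constructed inputs: the formula of Figure 1 and a small unsatisfiable formula.
FIG1 = [[(1, True), (2, False), (3, True)],
        [(1, False), (2, True), (3, True)]]
UNSAT = [[(1, True)] * 3, [(1, False)] * 3]   # p1 AND (NOT p1), literals repeated


def clock(lit):
    """cl(lambda): clock x_i for p_i, clock xbar_i for (NOT p_i)."""
    var, positive = lit
    return f"x{var}" if positive else f"xbar{var}"


def build_automaton(formula, k):
    """Transitions of the reduction as (source, zero_check, reset, target)."""
    trans = []
    for i in range(1, k + 1):                      # guess a value for p_i
        for positive in (True, False):
            trans.append((f"q{i-1}", None, clock((i, positive)), f"q{i}"))
    trans.append((f"q{k}", None, None, "r0"))
    for m, clause in enumerate(formula, start=1):  # one zero-check per literal
        for lit in clause:
            trans.append((f"r{m-1}", clock(lit), None, f"r{m}"))
    trans.append((f"r{len(formula)}", None, None, "q0"))
    return trans


def cycles(trans, k, n):
    """All cycles through q0: pick one outgoing transition in every state."""
    states = [f"q{i}" for i in range(k + 1)] + [f"r{m}" for m in range(n + 1)]
    return product(*[[t for t in trans if t[0] == s] for s in states])


def clear_states(cycle):
    """States of a repeated cycle in which time may elapse.

    Walking backwards, `pending` holds the clocks that will be zero-checked
    before their next reset. A state is clear when that set is empty.
    """
    pending, clear = set(), []
    for _ in range(2):            # second pass carries the wrap-around at q0
        clear = []
        for src, check, reset, _dst in reversed(cycle):
            pending = pending - {reset}
            if check is not None:
                pending = pending | {check}
            if not pending:
                clear.append(src)
    return sorted(clear)


def has_nonzeno_cycle(formula, k):
    """True when some cycle of the automaton has a state where time can elapse."""
    trans = build_automaton(formula, k)
    return any(clear_states(c) for c in cycles(trans, k, len(formula)))


def satisfiable(formula, k):
    """Brute-force reference check, used only to compare with the automaton."""
    return any(all(any(bits[v - 1] == pos for v, pos in clause)
                   for clause in formula)
               for bits in product((True, False), repeat=k))
```

On the Figure 1 formula the cycle that resets $x_3$ and zero-checks it twice is clear in $q_0$, $q_1$, $q_2$ and $r_2$, while every cycle built from the non-satisfying assignment has no clear state.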

Lemma 1. A 3CNF formula $\phi$ is satisfiable iff $\mathcal{A}^{NZ}_\phi$ has a non-Zeno run. 

The NP-hardness of NZP$^{LU}$ then follows due to the small size of 
$ZG^{LU}(\mathcal{A}^{NZ}_\phi)$. 

Theorem 4. The abstract zone graph $ZG^{LU}(\mathcal{A}^{NZ}_\phi)$ is isomorphic to 
$\mathcal{A}^{NZ}_\phi$. The non-Zenoness problem is NP-complete for abstractions 
$\mathsf{Extra}_{LU}$ and $\mathsf{Extra}_{LU}^+$. 

Proof. We first prove that $ZG^{LU}(\mathcal{A}^{NZ}_\phi)$ is isomorphic to 
$\mathcal{A}^{NZ}_\phi$. For every clock $x$, $L(x) = -\infty$, hence $\mathsf{Extra}_{LU}$ 
abstracts all the constraints $x_i - x_j \preccurlyeq_{ij} c_{ij}$ to $x_i - x_j < \infty$ 
except those of the form $x_0 - x_i \preccurlyeq_{0i} c_{0i}$ that are kept unchanged. Due to 
the guards in $\mathcal{A}^{NZ}_\phi$, for every reachable zone in 
$ZG(\mathcal{A}^{NZ}_\phi)$ we have $x_0 - x_i \le 0$ (i.e. $x_i \ge 0$). Therefore 
$\mathsf{Extra}_{LU}(Z)$ is the zone defined by $\bigwedge_{x \in X} x \ge 0$ which is 
$\mathbb{R}_{\ge 0}^X$. For each state of $\mathcal{A}^{NZ}_\phi$, the zone 
$\mathbb{R}_{\ge 0}^X$ is the only reachable zone in $ZG^{LU}(\mathcal{A}^{NZ}_\phi)$, hence 
showing the isomorphism. The result transfers to $\mathsf{Extra}_{LU}^+$ thanks to 
Theorem 1. 

The NP-hardness of NZP$^{LU}$ then follows from Lemma 1. The membership 
to NP will be proved in Lemma 3 in the next section. □ 

Notice that the type of zero checks in $\mathcal{A}^{NZ}_\phi$ is crucial to Theorem 4. 
Replacing zero-checks of the form $x \le 0$ by $x = 0$ does not modify the semantics of 
$\mathcal{A}^{NZ}_\phi$. However, this yields $L(x) = 0$ for every clock $x$. Hence, the 
constraints of the form $x_i - x_j \le 0$ are not abstracted: $\mathsf{Extra}_{LU}$ then 
preserves the ordering among the clocks. Each sequence of clock resets leading from 
$q_0$ to $q_k$ yields a distinct ordering on the clocks. Thus, there are exponentially 
many LU-abstracted zones with state $q_k$. As a consequence, the polynomial reduction 
from 3SAT is lost. We indeed provide in Section 4 below an algorithm for detecting 
non-Zeno runs from $ZG^{LU}(\mathcal{A})$ that runs in polynomial time when $L(x) = 0$ 
for every clock $x$. 
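
The effect described in the proof of Theorem 4 and in the remark that follows it can be reproduced on a single DBM. The following Python sketch is an added example, not code from the paper or from any tool: the DBM encoding, the function names and the two-clock zone are assumptions made here, with $U(x) = 0$ taken from guards of the form $x \le 0$. It applies the $\mathsf{Extra}_{LU}$ case split of Section 2.2 entry by entry, once with $L(x) = -\infty$ and once with $L(x) = 0$.

```python
import math

INF = math.inf
LT, LE = "<", "<="


def extra_lu(dbm, L, U):
    """Apply the Extra_LU case split to every off-diagonal DBM entry.

    dbm[i][j] = (c, op) encodes x_i - x_j op c; index 0 is the special clock
    x_0, so L[0] = U[0] = 0. Diagonal entries are left alone (an assumption of
    this sketch: the case split is only applied for i != j).
    """
    n = len(dbm)
    out = [list(row) for row in dbm]
    for i in range(n):
        for j in range(n):
            if i == j:
                continue
            c, _op = dbm[i][j]
            if c > L[i]:                 # bound above L(x_i): forget it
                out[i][j] = (INF, LT)
            elif -c > U[j]:              # lower bound on x_j above U(x_j)
                out[i][j] = (-U[j], LT)
    return out


def implies_leq(dbm, i, j):
    """True when the entry x_i - x_j op c has c <= 0, i.e. x_i <= x_j."""
    c, _op = dbm[i][j]
    return c <= 0


def orders(dbm, i, j):
    """The zone orders x_i and x_j when it implies x_i <= x_j or x_j <= x_i."""
    return implies_leq(dbm, i, j) or implies_leq(dbm, j, i)


def zone_x2_reset_after_x1():
    """Constructed zone over x_1, x_2: both non-negative and x_2 <= x_1."""
    top = (INF, LT)
    return [[(0, LE), (0, LE), (0, LE)],   # x_0 - x_1 <= 0, x_0 - x_2 <= 0
            [top,     (0, LE), top],       # x_1 unbounded, x_1 - x_2 < inf
            [top,     (0, LE), (0, LE)]]   # x_2 - x_1 <= 0


# Bounds read off the guards: zero-checks written x <= 0 give U(x) = 0 and
# L(x) = -inf; zero-checks written x = 0 give L(x) = 0 as well.
U_BOUNDS = [0, 0, 0]
L_WITH_LEQ_CHECKS = [0, -INF, -INF]
L_WITH_EQ_CHECKS = [0, 0, 0]


def ordering_survives():
    """(ordering kept with x <= 0 checks, ordering kept with x = 0 checks)."""
    z = zone_x2_reset_after_x1()
    return (orders(extra_lu(z, L_WITH_LEQ_CHECKS, U_BOUNDS), 1, 2),
            orders(extra_lu(z, L_WITH_EQ_CHECKS, U_BOUNDS), 1, 2))
```

With $L(x) = -\infty$ the abstracted DBM keeps only $x_1 \ge 0$ and $x_2 \ge 0$, so the reset order is lost; with $L(x) = 0$ the zone is returned unchanged.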



4 Finding non-Zeno runs 

Recall the non-Zenoness problem (NZP$^a$): 

Given an automaton $\mathcal{A}$ and its abstract zone graph $ZG^a(\mathcal{A})$, decide if 
$\mathcal{A}$ has a non-Zeno run. 

A standard solution to this problem involves adding one auxiliary clock to 
$\mathcal{A}$ to detect non-Zenoness [12]. This solution was shown to cause an exponential 
blowup in [9]. In the same paper, a polynomial method has been proposed in 
the case of the $\mathsf{Extra}_M$ abstraction. We extend this method to an arbitrary 
abstraction $a$ and give conditions on $a$ for the method to remain polynomial. 

An infinite run of the timed automaton could be Zeno due to two factors: 
blocking clocks, which are clocks that are bounded from above (i.e. $x \le c$ for 
some $c > 0$) but are never reset in the run and zero checks, which are guards 
of the form $x \le 0$ or $x = 0$ that prevent time elapse in the run. The method 
in [9] tackles these two problems as follows. Blocking clocks are handled by first 
detecting a maximal strongly connected component (SCC) of the zone graph 
and repeatedly discarding the transitions that bound some blocking clock until 
a non-trivial SCC with no such clocks is obtained. This algorithm runs in time 
polynomial for every abstraction that is sound and complete. For zero checks, 
a guessing zone graph construction has been introduced to detect nodes where 
time can elapse. We now extend this construction to an arbitrary abstraction. 

4.1 Reduced guessing zone graph $rGZG^a(\mathcal{A})$ 

The necessary and sufficient condition for time elapse in a node despite 
zero-checks is to have every reachable zero-check from that node preceded by a 
corresponding reset. The nodes of the guessing zone graph are triples $(q, Z, Y)$ where 
$Y \subseteq X$ is the set of clocks that can potentially be checked for zero before being 
reset in a path from $(q, Z, Y)$. In particular, in a node with $Y = \emptyset$ zero-checks 
do not hinder time elapse. 

A clock that is never checked for zero need not be remembered in sets $Y$. In 
order to lift the construction in [9], we restrict $Y$ sets to only contain clocks that 
can indeed be checked for zero. We say that a clock $x$ is relevant if there exists a 
guard $x \le 0$ or $x = 0$ in the automaton. We denote the set of relevant clocks by 
$Rl(\mathcal{A})$. For a zone $Z$, let $C_0(Z)$ denote the set of clocks $x$ such that there 
exists a valuation $v \in Z$ with $v(x) = 0$. The clocks that can be checked for zero from 
$(q, Z)$ lie in $Rl(\mathcal{A}) \cap C_0(Z)$. 

Definition 2. Let $\mathcal{A}$ be a timed automaton with clocks $X$. The reduced guessing 
zone graph $rGZG^a(\mathcal{A})$ has nodes of the form $(q, Z, Y)$ where $(q, Z)$ is a node in 
$ZG^a(\mathcal{A})$ and $Y \subseteq Rl(\mathcal{A}) \cap C_0(Z)$. The initial node is 
$(q_0, Z_0, Rl(\mathcal{A}))$, with $(q_0, Z_0)$ the initial node of $ZG^a(\mathcal{A})$. For 
$t = (q, g, R, q')$, there is a transition $(q, Z, Y) \Rightarrow^t_a (q', Z', Y')$ with 
$Y' = (Y \cup R) \cap Rl(\mathcal{A}) \cap C_0(Z')$ if there is 
$(q, Z) \Rightarrow^t_a (q', Z')$ in $ZG^a(\mathcal{A})$ and some valuation $v \in Z$ such that 
$v \models (Rl(\mathcal{A}) - Y) > 0$ and $v \models g$. A new auxiliary letter $\tau$ is 
introduced that adds transitions $(q, Z, Y) \Rightarrow^\tau_a (q, Z, Y')$ for 
$Y' = \emptyset$ or $Y' = Y$. 

Observe that as we require $v \models (Rl(\mathcal{A}) - Y) > 0$ and $v \models g$ for some 
$v \in Z$, a transition that checks $x \le 0$ (or $x = 0$) is allowed from a node 
$(q, Z, Y)$ only if $x \in Y$. Thus, from a node $(q, Z, \emptyset)$ every reachable 
zero-check should be preceded by the corresponding reset. Such a node is called clear. 
Time can elapse in clear nodes. A variable $x$ is bounded in a transition of $rGZG^a$ if 
the guard of the transition implies $x \le c$ for some constant $c$. A path of $rGZG^a$ is 
said to be blocked if there is a variable that is bounded infinitely often and reset 
only finitely often by the transitions on the path. Otherwise the path is called 
unblocked. An unblocked path says that there are no blocking clocks to bound 
time and clear nodes suggest that in spite of zero-checks that might possibly 
occur in the future, time can still elapse. We get the following theorem. 

Theorem 5. A timed automaton $\mathcal{A}$ has a non-Zeno run iff there exists an 
unblocked path in $rGZG^a(\mathcal{A})$ visiting a clear node infinitely often. 

The proof of Theorem 5 follows from Lemmas 11 and 12 in Appendix B. The 
proof is in the same lines as for the guessing zone graph in [9]. 

4.2 Polynomial algorithms for NZP$^a$ 

Since we have a node in $rGZG^a(\mathcal{A})$ for every $(q, Z)$ in $ZG^a(\mathcal{A})$ and 
every subset $Y$ of $Rl(\mathcal{A})$, it can in principle be exponentially bigger than 
$ZG^a(\mathcal{A})$. Below, we see that depending on abstraction $a$, not all subsets $Y$ 
need to be considered. 

Let $X'$ be a subset of $X$. We say that a zone $Z$ orders the clocks in $X'$ if for 
all clocks $x, y \in X'$, $Z$ implies that at least one of $x \le y$ or $y \le x$ hold. 

Definition 3 (Weakly order-preserving abstractions). An abstraction $a$ 
weakly preserves orders if for all clocks $x, y \in Rl(\mathcal{A}) \cap C_0(Z)$, 
$Z \models x \le y$ iff $a(Z) \models x \le y$. 

It has been observed in [9] that all the zones that are reachable in the 
unabstracted zone graph $ZG(\mathcal{A})$ order the entire set of clocks $X$. Assume that 
$a$ weakly preserves orders, then for every reachable node $(q, Z, Y)$ in 
$rGZG^a(\mathcal{A})$, the zone $Z$ orders the clocks in $Rl(\mathcal{A}) \cap C_0(Z)$. We now 
show that $Y$ is downward closed with respect to this order given by $Z$: for clocks 
$x, y \in Rl(\mathcal{A}) \cap C_0(Z)$, if $Z \models x \le y$ and $y \in Y$, then $x \in Y$. 
This entails that there are at most $|Rl(\mathcal{A})|$ downward closed sets to consider, 
thus giving a polynomial complexity. 

Theorem 6. Let $\mathcal{A}$ be a timed automaton. If $a$ weakly preserves orders, then 
the reachable part of $rGZG^a(\mathcal{A})$ is $O(|Rl(\mathcal{A})|)$ bigger than the reachable 
part of $ZG^a(\mathcal{A})$. 

Proof. We prove by induction on the transitions in $rGZG^a(\mathcal{A})$ that for every 
reachable node $(q, Z, Y)$ the set $Y$ is downward closed with respect to $Z$ on the 
clocks in $Rl(\mathcal{A}) \cap C_0(Z)$. This is true for the initial node 
$(q_0, Z_0, Rl(\mathcal{A}))$. 

Now, assume that this is true for $(q, Z, Y)$. Take a transition 
$(q, Z, Y) \Rightarrow^t_a (q', Z', Y')$ with $t = (q, g, R, q')$. By definition, 
$Y' = (Y \cup R) \cap Rl(\mathcal{A}) \cap C_0(Z')$. Suppose $Z' \models x \le y$ for some 
$x, y \in Rl(\mathcal{A}) \cap C_0(Z')$ and suppose $y \in Y'$. This could mean $y \in Y$ or 
$y \in R$. If $y \in R$, then $x$ is also in $R$ since $Z' \models x \le y$. If 
$y \notin R$ then we get $y \in Y$ and $Z \models x \le y$. By hypothesis that $Y$ is 
downward closed, $x \in Y$. In both cases $x \in Y'$. □ 

The definition of $\mathsf{Extra}_M$ in Section 2.2 clearly shows that it weakly preserves 
orders. Hence, $rGZG^M(\mathcal{A})$ yields a polynomial algorithm for NZP$^M$. Notice that 
thanks to the reduction of the guessing zone graph to the relevant clocks, we 
propose an algorithm that is more efficient than the algorithm in [9] despite 
using the same abstraction. 

Lemma 2. The abstractions $\mathsf{Extra}_M$ and $\mathsf{Extra}_M^+$ weakly preserve orders. 

Proof. It has been proved in [9] that $\mathsf{Extra}_M$ weakly preserves orders. Note that 
for a clock $x$ in $Rl(\mathcal{A})$ we have $M(x) \ge 0$ and so if 
$x \in Rl(\mathcal{A}) \cap C_0(Z)$, then it means that $Z$ is consistent with 
$x \le M(x)$. Therefore, by definition, $\mathsf{Extra}_M^+(Z)$ restricted to clocks in 
$Rl(\mathcal{A}) \cap C_0(Z)$ is identical to $\mathsf{Extra}_M(Z)$ restricted to the 
same set of clocks. Since $\mathsf{Extra}_M$ is weakly order preserving, we get that 
$\mathsf{Extra}_M^+$ is weakly order preserving too. □ 

However, the polynomial complexity is not preserved by coarser abstractions 
$\mathsf{Extra}_{LU}$ and $\mathsf{Extra}_{LU}^+$. 

Lemma 3. The abstractions $\mathsf{Extra}_{LU}$ and $\mathsf{Extra}_{LU}^+$ do not weakly 
preserve orders. The non-Zenoness problem is in NP for $\mathsf{Extra}_{LU}$ and 
$\mathsf{Extra}_{LU}^+$. 

Proof. The proof of Theorem 4 gives an example that illustrates $\mathsf{Extra}_{LU}$ does 
not weakly preserve orders. This also holds for $\mathsf{Extra}_{LU}^+$ by Theorem 1. 

For the NP membership, let $N$ be the number of nodes in $ZG^{LU}(\mathcal{A})$. Let us 
non-deterministically choose a node $(q, Z)$. We assume that $(q, Z)$ is reachable 
as this can be checked in polynomial time on $ZG^{LU}(\mathcal{A})$. 

We augment $(q, Z)$ with an empty guess set of clocks. From $(q, Z, \emptyset)$, we 
non-deterministically simulate a path $\pi$ of the (non-reduced) guessing zone graph [9] 
obtained from Definition 2 with $Rl(\mathcal{A}) = X$ and $C_0(Z) = X$ for every zone $Z$. 
We avoid taking $\tau$ transitions on this path. This ensures that the guess sets 
accumulate all the resets on $\pi$. During the simulation, we also keep track of 
a separate set $U$ containing all the clocks that are bounded from above on a 
transition in $\pi$. 

If during the simulation one reaches a node $(q, Z, Y)$ such that $U \subseteq Y$, then 
we have a cycle $(q, Z, \emptyset) \Rightarrow^* (q, Z, Y) \Rightarrow^\tau (q, Z, \emptyset)$ 
that is unblocked and that visits a clear node infinitely often. Also, since $(q, Z)$ is 
reachable in $ZG^{LU}(\mathcal{A})$, $(q, Z, X)$ is reachable in the guessing zone graph. 
Then $(q, Z, \emptyset)$ is reachable from $(q, Z, X)$ with a $\tau$ transition. From [9] and 
from the fact that $\mathsf{Extra}_{LU}$ and $\mathsf{Extra}_{LU}^+$ are sound and complete [2] 
we get a non-Zeno run of $\mathcal{A}$. 

Notice that it is sufficient to simulate $N \times (|X| + 1)$ transitions since we can 
avoid visiting a node $(q', Z', Y')$ twice in $\pi$. □ 

The abstraction $\mathsf{Extra}_{LU}$ does not weakly preserve order in zones due to 
relevant clocks with $L(x) = -\infty$ and $U(x) \ge 0$. We show that this is the only reason 
for NP-hardness. We slightly modify $\mathsf{Extra}_{LU}$ to get an abstraction 
$\mathsf{Extra}_{\overline{L}U}$ that is coarser than $\mathsf{Extra}_M$, but it still weakly 
preserves orders. 

Definition 4 (Weak L bounds). Let $\mathcal{A}$ be a timed automaton. Given the 
bounds $L(x)$ and $U(x)$ for every clock $x \in X$, the weak lower bound $\overline{L}$ is 
given by: $\overline{L}(x) = 0$ if $x \in Rl(\mathcal{A})$, $L(x) = -\infty$ and 
$U(x) \ge 0$, and $\overline{L}(x) = L(x)$ otherwise. 

We denote $\mathsf{Extra}_{\overline{L}U}$ the $\mathsf{Extra}_{LU}$ abstraction obtained by 
choosing $\overline{L}$ instead of $L$. Notice that $\mathsf{Extra}_{\overline{L}U}$ and 
$\mathsf{Extra}_{LU}$ coincide when zero-checks are written $x = 0$ instead of $x \le 0$ in 
the automaton. By definition of $\mathsf{Extra}_{LU}$, we get the following. 

Lemma 4. The abstraction $\mathsf{Extra}_{\overline{L}U}$ weakly preserves orders. 

$\mathsf{Extra}_{\overline{L}U}$ coincides with $\mathsf{Extra}_{LU}$ for a wide class of 
automata. For instance, when the automaton does not have a zero-check, 
$\mathsf{Extra}_{\overline{L}U}$ is exactly $\mathsf{Extra}_{LU}$, and the existence of a 
non-Zeno run can be decided in polynomial time. 

Fig. 2. $\mathcal{A}^{Z}_\phi$ for $\phi = (p_1 \vee \neg p_2 \vee p_3) \wedge (\neg p_1 \vee p_2 \vee p_3)$ 



5 The Zenoness problem 

In this section we consider the Zenoness problem (ZP$^a$): 

Given an automaton $\mathcal{A}$ and its abstract zone graph $ZG^a(\mathcal{A})$, decide if 
$\mathcal{A}$ has a Zeno run. 

As in the case of non-Zenoness, this problem turns out to be NP-complete when 
the abstraction operator $a$ is $\mathsf{Extra}_{LU}$. We subsequently give the hardness proof 
by providing a reduction from 3SAT. 

5.1 Reducing 3SAT to ZP$^a$ with abstraction $\mathsf{Extra}_{LU}$ 

Let $P = \{p_1, \ldots, p_k\}$ be a set of propositional variables. Let 
$\phi = C_1 \wedge \cdots \wedge C_n$ be a 3CNF formula with $n$ clauses. Each clause $C_m$, 
$m = 1, 2, \ldots, n$ is a disjunction of three literals $\lambda^m_1$, $\lambda^m_2$ and 
$\lambda^m_3$. We construct in polynomial time an automaton $\mathcal{A}^{Z}_\phi$ and its 
zone graph $ZG^{LU}(\mathcal{A}^{Z}_\phi)$ such that $\mathcal{A}^{Z}_\phi$ has a Zeno run iff 
$\phi$ is satisfiable, thus proving the NP-hardness. 

The automaton $\mathcal{A}^{Z}_\phi$ has clocks 
$\{x_1, \overline{x_1}, \ldots, x_k, \overline{x_k}\}$ with $x_i$ and $\overline{x_i}$ 
corresponding to the literals $p_i$ and $\neg p_i$ respectively. We denote the clock 
associated to a literal $\lambda$ by $cl(\lambda)$. The set of states of $\mathcal{A}^{Z}_\phi$ 
is given by $\{q_0, q_1, \ldots, q_k\} \cup \{r_0, r_1, r_2, \ldots, r_n\}$ with $q_0$ being 
the initial state. The transitions are as follows: 

— transitions $q_{i-1} \xrightarrow{\{x_i\}} q_i$ and $q_{i-1} \xrightarrow{\{\overline{x_i}\}} q_i$ for $i = 1, 2, \ldots, k$, 

— a transition $q_k \to r_0$ with no guards and resets, 

— for each clause Cm there are three transitions rm-i ^'^'^^ rm where A = 

— a transition $r_n \to q_0$ with no guards and resets. This transition creates a 
cycle in $\mathcal{A}^{Z}_\phi$. 

As an example, Figure 2 shows the automaton for the formula 
$(p_1 \vee \neg p_2 \vee p_3) \wedge (\neg p_1 \vee p_2 \vee p_3)$. Clearly, the automaton 
$\mathcal{A}^{Z}_\phi$ can be constructed from $\phi$ in $O(n)$ time. It remains to show that 
$ZG^{LU}(\mathcal{A}^{Z}_\phi)$ can also be calculated in polynomial time from 
$\mathcal{A}^{Z}_\phi$ and to show that $\phi$ is satisfiable iff $\mathcal{A}^{Z}_\phi$ has a 
Zeno run. This is proved below. 

Lemma 5. A 3CNF formula $\phi$ is satisfiable iff $\mathcal{A}^{Z}_\phi$ has a Zeno run. 

The proof of Lemma 5 is given in Appendix C. We note that the size of the 
$ZG^{LU}(\mathcal{A}^{Z}_\phi)$ is the same as that of the automaton. 

Theorem 7. The zone graph $ZG^{LU}(\mathcal{A}^{Z}_\phi)$ is isomorphic to 
$\mathcal{A}^{Z}_\phi$. The Zenoness problem is NP-complete for $\mathsf{Extra}_{LU}$ and 
$\mathsf{Extra}_{LU}^+$. 

Proof. By looking at the guards in the transitions, we get that for each clock 
$x$, $L(x) = 1$ and $U(x) = -\infty$. The initial node of the zone graph 
$ZG^{LU}(\mathcal{A}^{Z}_\phi)$ is $(q_0, \mathsf{Extra}_{LU}(Z_0))$ where $Z_0$ is the set of 
valuations given by 
$(x_1 \ge 0) \wedge (x_1 = \overline{x_1} = \cdots = x_k = \overline{x_k})$. By definition, 
since for each clock $x$, $U(x) = -\infty$, we have 
$\mathsf{Extra}_{LU}(Z_0) = \mathbb{R}_{\ge 0}^X$, the non-negative half-space. 

After resetting a clock $x$ in a transition from $\mathbb{R}_{\ge 0}^X$, we get back to 
$\mathbb{R}_{\ge 0}^X$. On taking a transition with a guard $x \ge 1$ from 
$\mathbb{R}_{\ge 0}^X$, we come to a zone $\mathbb{R}_{\ge 0}^X \wedge x \ge 1$. However, 
since $U(x) = -\infty$, $\mathsf{Extra}_{LU}(\mathbb{R}_{\ge 0}^X \wedge x \ge 1)$ gives back 
$\mathbb{R}_{\ge 0}^X$. It follows that $ZG^{LU}(\mathcal{A}^{Z}_\phi)$ is isomorphic to 
$\mathcal{A}^{Z}_\phi$. This extends to $\mathsf{Extra}_{LU}^+$ by Theorem 1. 

NP-hardness then comes from Lemma 5. NP-membership is proved in Lemma 7. □ 

In the next section, we provide an algorithm for the Zenoness problem ZP$^a$ 
and give conditions on abstraction $a$ for the solution to be polynomial. 

5.2 Finding Zeno paths 

We say that a transition is lifting if it has a guard that implies $x \geq 1$ for some
clock $x$. The idea is to find if there exists a run of an automaton $A$ in which every
clock $x$ that is reset infinitely often is lifted only finitely many times, ensuring
that the run is Zeno. This amounts to checking if there exists a cycle in $ZG(A)$
where every clock that is reset is not lifted. Observe that when
$(q, Z) \xRightarrow{x \geq c} (q', Z')$ is a transition of $ZG(A)$, then $Z'$ entails that $x \geq c$.
Therefore, if a node $(q, Z)$ is part of a cycle in the required form, then in
particular, all the clocks that are greater than 1 in $Z$ should not be reset in the cycle.

Based on the above intuition, our solution begins with computing the zone
graph on-the-fly. At some node $(q, Z)$ the algorithm non-deterministically guesses
that this node is part of a cycle that yields a Zeno run. This node transits to
what we call the slow mode. In this mode, a reset of $x$ in a transition is allowed
from $(q', Z')$ only if $Z'$ is consistent with $x < 1$.

Before we define our construction formally, recall that we would be working
with the abstract zone graph $ZG^{\mathfrak{a}}(A)$ and not $ZG(A)$. Therefore for our solution
to work, the abstraction operator $\mathfrak{a}$ should remember the fact that a clock has
a value greater than 1.

For an automaton $A$ over the set of clocks $X$, let $\mathit{Lf}(A)$ denote the set of
clocks that appear in a lifting transition of $A$.

Definition 5 (Lift-safe abstractions). An abstraction operator $\mathfrak{a}$ is called
lift-safe if for every zone $Z$ and for every clock $x \in \mathit{Lf}(A)$, if $Z \models x \geq 1$ then
$\mathfrak{a}(Z) \models x \geq 1$.

We are now in a position to define our slow zone graph construction to decide
if an automaton has a Zeno run.

Definition 6 (Slow zone graph). Let $A$ be a timed automaton over the set
of clocks $X$. Let $\mathfrak{a}$ be a lift-safe abstraction. The slow zone graph $SZG^{\mathfrak{a}}(A)$ has
nodes of the form $(q, Z, l)$ where $l \in \{\mathit{free}, \mathit{slow}\}$. The initial node is
$(q_0, Z_0, \mathit{free})$ where $(q_0, Z_0)$ is the initial node of $ZG^{\mathfrak{a}}(A)$. For every transition
$(q, Z) \Rightarrow^{t}_{\mathfrak{a}} (q', Z')$ in $ZG^{\mathfrak{a}}(A)$ with $t = (q, g, R, q')$, we have the following
transitions in $SZG^{\mathfrak{a}}(A)$:

— a transition $(q, Z, \mathit{free}) \Rightarrow^{t}_{\mathfrak{a}} (q', Z', \mathit{free})$,

— a transition $(q, Z, \mathit{slow}) \Rightarrow^{t}_{\mathfrak{a}} (q', Z', \mathit{slow})$ if for all clocks $x \in R$, $Z \land g$ is
consistent with $x < 1$.

A new letter $\tau$ is introduced that adds transitions $(q, Z, \mathit{free}) \Rightarrow^{\tau}_{\mathfrak{a}} (q, Z, \mathit{slow})$.

A node of the form $(q, Z, \mathit{slow})$ is said to be a slow node. A path of $SZG^{\mathfrak{a}}(A)$
is said to be slow if it has a suffix consisting entirely of slow nodes. The
$\tau$-transitions take a node $(q, Z)$ from the free mode to the slow mode. Note that
the transitions of the slow mode are constrained further. Lemmas 13 and 14 in
Appendix D show that there is a cycle in $SZG^{\mathfrak{a}}(A)$ consisting entirely of
slow nodes iff $A$ has a Zeno run.

The above two lemmas prove the correctness of the approach. From the
definition of $SZG^{\mathfrak{a}}(A)$ it follows clearly that for each node $(q, Z)$ of the zone
graph there are two nodes in $SZG^{\mathfrak{a}}(A)$: $(q, Z, \mathit{free})$ and $(q, Z, \mathit{slow})$. We thus get
the following theorem.

Theorem 8. Let $\mathfrak{a}$ be a lift-safe abstraction. The automaton $A$ has a Zeno
run iff $SZG^{\mathfrak{a}}(A)$ has an infinite slow path. The number of reachable nodes of
$SZG^{\mathfrak{a}}(A)$ is at most twice the number of reachable nodes in $ZG^{\mathfrak{a}}(A)$.

We now turn our attention towards some of the abstractions existing in
the literature. We observe that the classical $\mathsf{Extra}_M$ is lift-safe and hence the
Zenoness problem could be solved using the slow zone graph construction.
However, in accordance with the NP-hardness of the problem for $\mathsf{Extra}_{LU}$, we get that
$\mathsf{Extra}_{LU}$ is not lift-safe.

Lemma 6. The abstractions $\mathsf{Extra}_M$, $\mathsf{Extra}^+_M$ are lift-safe.

Proof. Observe that for every clock that is lifted, the bound $M$ is at least 1.
It is now straightforward from the definitions of $\mathsf{Extra}_M$, $\mathsf{Extra}^+_M$ that they are
lift-safe. □

Lemma 7. The abstractions $\mathsf{Extra}_{LU}$ and $\mathsf{Extra}^+_{LU}$ are not lift-safe. The Zenoness
problem for $\mathsf{Extra}_{LU}$ and $\mathsf{Extra}^+_{LU}$ is in NP.
Proof. That $\mathsf{Extra}_{LU}$ and $\mathsf{Extra}^+_{LU}$ are not lift-safe follows from the proof of
Theorem 7. We show the NP-membership using a technique similar to the slow
zone graph construction. Since $\mathsf{Extra}_{LU}$ is not lift-safe, the reachable zones in
$ZG^{LU}(A)$ do not maintain the information about the clocks that have been
lifted. Therefore, at some reachable zone $(q, Z)$ we non-deterministically guess
the set of clocks $Y$ that are allowed to be lifted in the future and go to a node
$(q, Z, Y)$. From now on, there are transitions $(q, Z, Y) \Rightarrow^{t}_{LU} (q', Z', Y)$ when:

— $(q, Z) \Rightarrow^{t}_{LU} (q', Z')$ is a transition in $ZG^{LU}(A)$,

— if $t$ contains a guard $x \geq c$ with $c \geq 1$, then $x \in Y$,

— if $t$ resets a clock $x$, then $x \notin Y$.

If a cycle is obtained that contains $(q, Z, Y)$, then the clocks that are reset and
lifted in this cycle are disjoint and hence $A$ has a Zeno run.

This shows that if $A$ has a Zeno run we can non-deterministically choose
a path of the above form and the length of this path is bounded by twice the
number of zones in $ZG^{LU}(A)$ (which is our other input). This proves the
NP-membership. □
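The guess-and-check procedure from the proof of Lemma 7, as an added example that is not code from the paper: it is run on the reduction automaton of Section 5.1, whose LU zone graph is isomorphic to the automaton by Theorem 7, so the automaton's own edges stand in for the zone graph. The integer encoding of literals and clocks and all function names are assumptions of this example, as is the clause-transition guard (the transition chosen for a literal checks the clock of its negation against 1, following the proof of Lemma 5).

```python
from itertools import combinations

def build_automaton(clauses, k):
    """Edges (src, dst, lifted, reset) of the reduction automaton for a 3CNF formula.

    Literals are nonzero ints (+i for p_i, -i for its negation); the clock of a
    literal is named by the same int, so clock -i plays the role of the barred x_i.
    """
    none = frozenset()
    edges = []
    for i in range(1, k + 1):  # q_{i-1} -> q_i resets x_i or its barred twin
        for clock in (i, -i):
            edges.append((("q", i - 1), ("q", i), none, frozenset({clock})))
    edges.append((("q", k), ("r", 0), none, none))
    for m, clause in enumerate(clauses, start=1):
        for lit in clause:
            # ASSUMPTION: the transition for literal lit is guarded by cl(not lit) >= 1.
            edges.append((("r", m - 1), ("r", m), frozenset({-lit}), none))
    edges.append((("r", len(clauses)), ("q", 0), none, none))  # closes the cycle
    return edges

def reachable(init, edges):
    """Nodes reachable from init in the unrestricted graph."""
    seen, stack = {init}, [init]
    while stack:
        node = stack.pop()
        for src, dst, _, _ in edges:
            if src == node and dst not in seen:
                seen.add(dst)
                stack.append(dst)
    return seen

def has_cycle(nodes, pairs):
    """True iff the graph induced on `nodes` by the (src, dst) `pairs` has a cycle."""
    alive = set(nodes)
    while True:
        # A node with no live successor cannot lie on a cycle: prune it.
        dead = {n for n in alive
                if not any(s == n and d in alive for s, d in pairs)}
        if not dead:
            return bool(alive)
        alive -= dead

def zeno_witness(init, edges):
    """Return a set Y of liftable clocks admitting a reachable cycle, or None."""
    clocks = sorted({c for _, _, lifted, reset in edges for c in lifted | reset})
    nodes = reachable(init, edges)
    for size in range(len(clocks) + 1):  # deterministic stand-in for guessing Y
        for Y in map(frozenset, combinations(clocks, size)):
            # Keep a transition only if every lifted clock is in Y and no reset clock is.
            kept = [(s, d) for s, d, lifted, reset in edges
                    if lifted <= Y and not (reset & Y)]
            if has_cycle(nodes, kept):
                return Y
    return None

# Constructed inputs: the formula of Figure 2 and an unsatisfiable formula.
FIGURE_2 = [(1, -2, 3), (-1, 2, 3)]
UNSAT = [(1, 1, 1), (-1, -1, -1)]

if __name__ == "__main__":
    print(zeno_witness(("q", 0), build_automaton(FIGURE_2, 3)))
    print(zeno_witness(("q", 0), build_automaton(UNSAT, 1)))
```

The loop over all subsets Y is exponential in the number of clocks, which is where the non-deterministic guess of the proof sits; for a fixed Y the cycle check is polynomial in the size of the graph.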



5.3 Weakening the U bounds 

We saw in Lemma 7 that the extrapolation $\mathsf{Extra}_{LU}$ is not lift-safe. This is due
to clocks $x$ that are lifted but have $U(x) = -\infty$. These are exactly the clocks $x$
with $L(x) \geq 1$ and $U(x) = -\infty$. We propose to weaken the $U$ bounds so that
the information about a clock being lifted is remembered in the abstracted zone.

Definition 7 (Weak U bounds). Given the bounds $L(x)$ and $U(x)$ for each
clock $x \in X$, the weak upper bound $\overline{U}(x)$ is given by: $\overline{U}(x) = 1$ if $L(x) \geq 1$ and
$U(x) = -\infty$, and $\overline{U}(x) = U(x)$ otherwise.

Let $\mathsf{Extra}_{L\overline{U}}$ denote the $\mathsf{Extra}_{LU}$ abstraction, but with $\overline{U}$ bound for each
clock instead of $U$. This definition ensures that for all lifted clocks, that is, for
all $x \in \mathit{Lf}(A)$, if a zone $Z$ entails that $x \geq 1$ then $\mathsf{Extra}_{L\overline{U}}(Z)$ also entails that
$x \geq 1$. This is summarized by the following lemma, the proof of which follows
by definitions.

Lemma 8. For all zones $Z$, $\mathsf{Extra}_{L\overline{U}}$ is lift-safe.

From Theorem 8, we get that the Zenoness problem is polynomial for $\mathsf{Extra}_{L\overline{U}}$.
However, there is a price to pay. Weakening the $U$ bounds leads to zone graphs
exponentially bigger in some cases. For example, for the automaton $A^Z_\phi$ that was
used to prove the NP-completeness of the Zenoness problem with $\mathsf{Extra}_{LU}$, note
that the zone graph $ZG^{L\overline{U}}(A^Z_\phi)$ obtained by applying $\mathsf{Extra}_{L\overline{U}}$ is exponentially
bigger than $ZG^{LU}(A^Z_\phi)$. This leads to a slow zone graph $SZG^{L\overline{U}}(A^Z_\phi)$ with size
polynomial in $ZG^{L\overline{U}}(A^Z_\phi)$.
6 Conclusion

We have shown a surprising fact that the problem of deciding existence of Zeno or
non-Zeno behaviours from abstract zone graphs depends heavily on the abstractions,
to the extent that the problem changes from being polynomial to becoming
NP-complete as the abstractions get coarser. We have proved NP-completeness
for the coarse abstractions $\mathsf{Extra}_{LU}$ and $\mathsf{Extra}^+_{LU}$. In contrast, the fundamental
notions of reachability and Büchi emptiness over abstract zone graphs have a
mere linear complexity, independent of the abstraction.

On the positive side, from our study on the conditions for an abstraction
to give a polynomial solution, we see that a small modification of the
LU-extrapolation works. We have defined two weaker abstractions: $\mathsf{Extra}_{\overline{L}U}$ for
detecting non-Zeno runs and $\mathsf{Extra}_{L\overline{U}}$ for detecting Zeno runs. The weak bounds $\overline{L}$
and $\overline{U}$ can also be used with $\mathsf{Extra}^+_{LU}$ to achieve similar results. Despite leading
to a polynomial solution for checking Zeno or non-Zeno behaviours from abstract
zone graphs, these abstractions transfer the complexity to the input: they could
lead to exponentially bigger abstract zone graphs themselves.

While working with abstract zone graphs, coarse abstractions (and hence
small abstract zone graphs) are essential to handle big models of timed automata.
These, as we have seen, work against the Zenoness questions. Our results
therefore provide a theoretical motivation to look for cheaper substitutes
to the notion of Zenoness.

Acknowledgements. We would like to thank Igor Walukiewicz for his in-
of the manuscript. We thank Laurent Fribourg for pointing us to the problem

A Proof of Lemma 1



Lemma 9. Let $\phi$ be a satisfiable 3CNF formula, then $A^{NZ}_\phi$ has a non-Zeno run.

Proof. Assume that $\phi$ is satisfied by some variable assignment $\chi$. Let $\rho$ be a
sequence of transitions such that:

— from each configuration $(q_{i-1}, \nu)$, with $i \in [1; k]$, $\rho$ instantiates the transition
$q_{i-1} \xrightarrow{\{x_i\}} q_i$ when $\chi(p_i) = \mathit{true}$ and the transition $q_{i-1} \xrightarrow{\{\overline{x_i}\}} q_i$ otherwise;

— from each configuration $(r_{m-1}, \nu)$ with $m \in [1; n]$, $\rho$ takes a transition
$r_{m-1} \xrightarrow{cl(\lambda^m) \leq 0} r_m$ such that $\lambda^m$ evaluates to true with respect to $\chi$;

— and $\rho$ lets 1 time unit elapse from each configuration with state $r_n$.

Now, we prove that $\rho$ is a run of $A^{NZ}_\phi$. We need to prove that zero-checked
transitions can be crossed despite elapsing 1 time unit. Recall that every infinite
run visits infinitely often a configuration with state $r_n$. Consider two successive
configurations on $\rho$ with state $r_n$.

• • • (r„, v)^ — )■ ■ ■ ■ (r„_i, )■ {rm, v ) ■ ■ ■ ir„, u') ^ ■ ■ ■ 

By definition of $\rho$, $\lambda^m$ is a literal that evaluates to true according to $\chi$. Hence,
the clock $cl(\lambda^m)$ is reset before being zero-checked and $\nu''(cl(\lambda^m)) = 0$. As a
consequence, the run $\rho$ exists. Furthermore, it is non-Zeno as 1 time unit elapses
infinitely often. □

Lemma 10. A 3CNF formula $\phi$ is satisfiable if $A^{NZ}_\phi$ has a non-Zeno run.

Proof. Consider a non-Zeno run $\rho$ of $A^{NZ}_\phi$. Since $\rho$ is non-Zeno, time elapses on
infinitely many transitions in the run. Every infinite run of $A^{NZ}_\phi$ visits infinitely
often a configuration with state $r_n$. Consider two consecutive configurations on $\rho$
such that time elapses on some transition on the segment from $(r_n, \nu)$ to $(r_n, \nu'')$.

■ ■ ■ (r-„, ly) ^ ■■■ {qk,y') ■ ■ ■ (r„_i, '''^^^ ^~°> (r„, i/") > {r„, u") ■ ■ ■ 

By construction, for each $i \in [1; k]$ either $x_i$ or $\overline{x_i}$ is reset on the segment from
$(r_n, \nu)$ to $(q_k, \nu')$. Let $\chi$ be the variable assignment that associates true to $p_i$
when $x_i$ is reset, and false otherwise, that is when $\overline{x_i}$ is reset. We prove that $\chi$
satisfies $\phi$.

Consider the transition $(r_{m-1}, \nu'') \xrightarrow{cl(\lambda^m) \leq 0} (r_m, \nu'')$. It must be the case
that $\nu''(cl(\lambda^m)) = 0$. Notice that time cannot elapse from $(q_k, \nu')$ to $(r_n, \nu'')$
because of zero-checks. Hence, time elapse can occur between $(r_n, \nu)$ and
Thus the clock $cl(\lambda^m)$ must be reset before reaching $(r_{m-1}, \nu'')$. Thus, $\chi(\lambda^m) = \mathit{true}$,
hence $C_m$ also evaluates to true. This holds for all the clauses. As a
consequence, $\phi$ is satisfied by $\chi$. □

B Proof of Theorem 5

Lemma 11. If $A$ has a non-Zeno run, then in $rGZG^{\mathfrak{a}}(A)$ there is an unblocked
path visiting a clear node infinitely often.

Proof. Let $\rho$ be a non-Zeno run of $A$:

$(q_0, \nu_0) \xrightarrow{\delta_0, t_0} (q_1, \nu_1) \xrightarrow{\delta_1, t_1} \cdots$

Since $\mathfrak{a}$ is complete, $\rho$ is an instantiation of a path $\pi$ in $ZG^{\mathfrak{a}}(A)$:

$(q_0, Z_0) \Rightarrow_{\mathfrak{a}} (q_1, Z_1) \Rightarrow_{\mathfrak{a}} \cdots$

Let $\sigma$ be the following sequence of transitions:

$(q_0, Z_0, Y_0) \Rightarrow (q_0, Z_0, Y_0') \Rightarrow (q_1, Z_1, Y_1) \Rightarrow (q_1, Z_1, Y_1') \Rightarrow_{\mathfrak{a}} \cdots$

where $Y_0 = \mathit{Rl}(A)$, $Y_i$ is determined by the transition relation in $rGZG^{\mathfrak{a}}(A)$,
and $Y_i' = Y_i$ unless $\delta_i > 0$ when we put $Y_i' = \emptyset$. We need to see that $\sigma$
is indeed a path in $rGZG^{\mathfrak{a}}(A)$. For this we need to see that every transition
$(q_i, Z_i, Y_i') \Rightarrow (q_{i+1}, Z_{i+1}, Y_{i+1})$ is realizable from a valuation $\nu \in Z_i$ such that
both $\nu \models (\mathit{Rl}(A) - Y_i') > 0$ and $\nu \models g_i$ where $g_i$ is the guard of $t_i$. We prove this
by an induction on the run. As by the definition of $\rho$, $\nu_i + \delta_i \models g_i$ for all $i \geq 0$,
we only need to prove that $\nu_i + \delta_i \models (\mathit{Rl}(A) - Y_i') > 0$. This is clearly true for
valuation $\nu_0 + \delta_0 \in Z_0$.

Assume that $\nu_i + \delta_i \models (\mathit{Rl}(A) - Y_i') > 0$. We now prove that
$\nu_{i+1} + \delta_{i+1} \models (\mathit{Rl}(A) - Y_{i+1}') > 0$. Firstly, observe that
$Y_{i+1} = (Y_i' \cup R_i) \cap C_0(Z_{i+1}) \cap \mathit{Rl}(A)$.
Therefore a clock $x \in \mathit{Rl}(A) - Y_{i+1}$ either belongs to $\mathit{Rl}(A) - Y_i'$ in which case it
is greater than 0 by induction hypothesis, or otherwise we have $x \in Y_i'$ but
$x \notin C_0(Z_{i+1})$. By the definition of $C_0(Z_{i+1})$, all valuations $\nu \in Z_{i+1}$ satisfy $\nu(x) > 0$
and so in particular, $\nu_{i+1}(x) > 0$. This leads to $\nu_{i+1} \models (\mathit{Rl}(A) - Y_{i+1}) > 0$ which
easily extends to $\nu_{i+1} + \delta_{i+1} \models (\mathit{Rl}(A) - Y_{i+1}') > 0$.

Since $\rho$ is non-Zeno there are infinitely many $i$ with $Y_i' = \emptyset$. It is also
straightforward to check that $\sigma$ is unblocked. □

Lemma 12. Suppose $rGZG^{\mathfrak{a}}(A)$ has an unblocked path visiting infinitely often
a clear node then $A$ has a non-Zeno run.

Proof. The proof follows the same lines as the proof of Lemma 6 in [9] with
the additional information that for all clocks $x$ that do not belong to $\mathit{Rl}(A)$, we
have $g \land (x > 0)$ consistent for all guards $g$. We recall the proof, with this slight
change incorporated.

Let $\pi : (q_0, Z_0, Y_0) \Rightarrow \dots$ be the unblocked path of $rGZG^{\mathfrak{a}}(A)$ that visits a
clear node infinitely often. Since $\mathfrak{a}$ is sound, take an instantiation
$\rho : (q_0, \nu_0) \xrightarrow{\delta_0, t_0} \dots$ of $\pi$. If $\rho$ is non-Zeno, we are done.

Suppose $\rho$ is Zeno, there exists an index $m$ such that $\nu_n(x) < 1/2$
for all $x \in X^r$ and for all $n > m$. Take indices $i, j > m$ such that $Y_i = Y_j = \emptyset$ and
all clocks in $X^r$ are reset between $i$ and $j$. We look at the sequence
$(q_i, \nu_i) \xrightarrow{\delta_i, t_i} \dots (q_j, \nu_j)$ and claim that every sequence of the form

$(q_i, \nu'_i) \xrightarrow{\delta_i, t_i} (q_{i+1}, \nu'_{i+1}) \xrightarrow{\delta_{i+1}, t_{i+1}} \cdots (q_j, \nu'_j)$

is a part of a run of $A$ provided there is $\zeta \in \mathbb{R}_{\geq 0}$ such that the following three
conditions hold for all $k = i, \dots, j$:

1. $\nu'_k(x) = \nu_k(x) + \zeta + 1/2$ for all $x \notin X^r$,

2. $\nu'_k(x) = \nu_k(x) + 1/2$ if $x \in X^r$ and $x$ has not been reset between $i$ and $k$.

3. $\nu'_k(x) = \nu_k(x)$ otherwise, i.e., when $x \in X^r$ and $x$ has been reset between $i$
and $k$.

It is easy to see that the run obtained by replacing every such $i$ to $j$ interval
of $\rho$ by the above sequence gives a non-Zeno run, since a 1/2 time unit has been
elapsed infinitely often.

We now show that the above is indeed a valid run of $A$. For this we need to
first show that $\nu'_k + \delta_k$ satisfies the guard in $t_k$. Let $g$ be the guard.

For $x \notin X^r$, from the assumption that $\rho$ is unblocked, we know that $g$ could
only be of the form $x > c$ or $x \geq c$. So $\nu'_k(x)$ clearly satisfies $g$. If $x \in X^r$ and is
reset between $i$ and $k$, $\nu'_k(x) = \nu_k(x)$ and so we are done. Consider the case when
$x \in X^r$ and is not reset between $i$ and $k$. Observe that $x \notin Y_k$. This is because
$Y_i = \emptyset$, and then only variables that are reset are added to $Y$. Since $x$ is not reset
between $i$ and $k$, it cannot be in $Y_k$. By definition of transitions in $rGZG^{\mathfrak{a}}(A)$,
if $x \in \mathit{Rl}(A)$ this means that $g \land (x > 0)$ is consistent. But for $x \notin \mathit{Rl}(A)$ by
definition, $g \land (x > 0)$ is consistent. We have that $0 \leq (\nu_k + \delta_k)(x) < 1/2$ and
$1/2 \leq (\nu'_k + \delta_k)(x) < 1$. So $\nu'_k + \delta_k$ satisfies all the constraints in $g$ concerning $x$
as $\nu_k + \delta_k$ does.

It can also be seen that the valuation obtained from $\nu'_k$ by resetting the clocks
in transition $t_k$ is the valuation $\nu'_{k+1}$. □



C Proof of Lemma 5 



Proof. For the left-to-right direction, suppose that $\phi$ is satisfiable. Then there
exists a variable assignment $\chi : P \mapsto \{\mathit{true}, \mathit{false}\}$ that evaluates $\phi$ to true. We
now build the Zeno run of $A^Z_\phi$ using $\chi$.

Pick an infinite run $\rho$ of $A^Z_\phi$. Clearly, it should have the following sequence
of states repeated infinitely often:

$q_0 \to \dots q_k \to r_0 \to r_1 \to \dots r_n$    (1)

We choose the transitions for $\rho$ that allow time elapse only by a finite amount.

If $\chi(p_i) = \mathit{true}$, then we put $q_{i-1} \xrightarrow{\{x_i\}} q_i$ wherever $q_{i-1} \to q_i$ occurs in $\rho$.
Otherwise $\chi(p_i) = \mathit{false}$ and we put $q_{i-1} \xrightarrow{\{\overline{x_i}\}} q_i$. We now need to choose the
transitions $r_{m-1} \to r_m$ for $m = 1, \dots, n$. Since $\chi$ is a satisfying assignment,
every clause $C_m$ has a literal $\lambda$ that evaluates to true with $\chi$. We choose the
corresponding transition $r_{m-1} \xrightarrow{cl(\neg\lambda) \geq 1} r_m$. Observe that if $\lambda$ evaluates to true,
it implies that $cl(\lambda)$ was reset in one of the $q_i \to q_{i+1}$ transitions but not $cl(\neg\lambda)$.

Therefore, the above construction yields a sequence of transitions with the
property that all clocks that are reset are never checked for greater than 1. This
sequence can be taken by elapsing 1 time unit in the very first state, and then
subsequently elapsing no time at all, thus giving a Zeno run in $A^Z_\phi$.

We now prove the right-to-left direction. Let $\rho$ be an infinite Zeno run of
$A^Z_\phi$. An infinite run should repeat the sequence of states given in (1). Since $\rho$
is Zeno, it has a suffix $\rho^s$ such that for every clock $x$ that is reset in $\rho^s$, $x \geq 1$
never occurs in the transitions of $\rho^s$. This is because if every suffix of $\rho$ contains
a clock that is both reset and checked for greater than 1, this would mean that
there is a time elapse of one time unit occurring infinitely often, contradicting
the hypothesis that $\rho$ is Zeno.

Consider a segment $S = q_0 \to \dots q_k \to r_0 \to r_1 \to \dots r_n$ in $\rho^s$. We construct
a satisfying assignment $\chi : P \mapsto \{\mathit{true}, \mathit{false}\}$ for $\phi$ from $S$.

— if $S$ contains $q_{i-1} \xrightarrow{\{x_i\}} q_i$ then set $\chi(p_i) = \mathit{true}$,

— otherwise, it implies that $S$ contains $q_{i-1} \xrightarrow{\{\overline{x_i}\}} q_i$ in which case we set
$\chi(p_i) = \mathit{false}$.

This shows that for a literal $\lambda$, if $cl(\lambda)$ is reset in $S$, then $\chi(\lambda) = \mathit{true}$. From the
property of $\rho^s$ that no clock that is reset is checked in a guard, for every transition
$r_{m-1} \xrightarrow{cl(\neg\lambda) \geq 1} r_m$ in $S$, it is clock $cl(\lambda)$ that is reset and hence $\chi(\lambda) = \mathit{true}$. By
construction of $A^Z_\phi$, $\lambda$ is a literal in $C_m$. Therefore, we get a literal that is true
in every clause evaluating $\phi$ to true. □

D Proof of Theorem 8 

Lemma 13. If $A$ has a Zeno run, then there exists an infinite slow path in
$SZG^{\mathfrak{a}}(A)$.

Proof. Let $\rho$ be a Zeno run of $A$:

$(q_0, \nu_0) \xrightarrow{\delta_0, t_0} (q_1, \nu_1) \xrightarrow{\delta_1, t_1} \cdots$

Let $\pi$ be its concretization in $ZG^{\mathfrak{a}}(A)$:

$(q_0, Z_0) \Rightarrow^{t_0}_{\mathfrak{a}} (q_1, Z_1) \Rightarrow^{t_1}_{\mathfrak{a}} \cdots$

We construct an infinite slow path in $SZG^{\mathfrak{a}}(A)$ from the path $\pi$. Let $X^l$ be
the set of clocks that are lifted infinitely often in $\pi$ and let $X^r$ be the set of
clocks that are reset infinitely often in $\pi$. Let $\pi^i$ denote the suffix of $\pi$ starting
from the position $i$.

Clearly, there exists an index $m$ such that all the clocks that are lifted in $\pi^m$
belong to $X^l$ and the ones that are reset in $\pi^m$ belong to $X^r$. Since $\rho$ is Zeno,
we have $X^l \cap X^r = \emptyset$. This shows that all the clocks that are reset in $\pi^m$ are
never lifted in its transitions. Therefore, there exists an index $k > m$ such that
for all $j > k$, $Z_j$ is consistent with $x < 1$ for all clocks $x \in X^r$ and we get the
following path of $SZG^{\mathfrak{a}}(A)$:

$(q_0, Z_0, \mathit{free}) \Rightarrow_{\mathfrak{a}} \cdots (q_j, Z_j, \mathit{free}) \Rightarrow^{\tau}_{\mathfrak{a}} (q_j, Z_j, \mathit{slow}) \Rightarrow^{t_j}_{\mathfrak{a}} (q_{j+1}, Z_{j+1}, \mathit{slow}) \Rightarrow_{\mathfrak{a}} \dots$

□

Lemma 14. If $SZG^{\mathfrak{a}}(A)$ has an infinite slow path, then $A$ has a Zeno run.

Proof. Let $\pi$ be the slow path of $SZG^{\mathfrak{a}}(A)$:

$(q_0, Z_0, \mathit{free}) \Rightarrow_{\mathfrak{a}} \dots (q_j, Z_j, \mathit{free}) \Rightarrow^{\tau}_{\mathfrak{a}} (q_j, Z_j, \mathit{slow}) \Rightarrow^{t_j}_{\mathfrak{a}} (q_{j+1}, Z_{j+1}, \mathit{slow}) \dots$

Take the corresponding path in $ZG^{\mathfrak{a}}(A)$ and an instance
$\rho = (q_0, \nu_0) \xrightarrow{\delta_0, t_0} (q_1, \nu_1) \dots$ which is a run of $A$, as we have assumed that $\mathfrak{a}$ is a
sound abstraction.

Let $X^r$ be the set of clocks that are reset infinitely often and let $X^l$ be the
set of clocks that are lifted infinitely often in $\rho$. By the semantics of the slow
mode and from our hypothesis of $\mathfrak{a}$ being lift-safe, after the index $j$, all clocks
that are lifted once can never be reset again. Therefore, there exists an index
$k > j$ such that the following hold:

— all clocks that are reset in $\rho^k$ belong to $X^r$ and all clocks that are lifted in
a transition of $\rho^k$ belong to $X^l$,

— for all $x \in X^l$ and for all $i > k$, $\nu_i(x) > c$ where $c$ is the maximum constant
appearing in a lifting transition of $\rho^k$.

We now modify the time delays of $\rho^k$ to construct a run that elapses a
bounded amount of time. Pick the sequence of indices $i_1, i_2, \dots$ in $\rho^k$ such that
$\delta_{i_m} > 0$, for all $m \in \mathbb{N}$. Define the new delays $\delta'_i$ for all $i > k$ as follows:

^, I min{Si, ^) if i = ij for some j 
* 1 otherwise 

Consider the run $\rho'$ obtained by elapsing $\delta'_i$ time units after the index $k$:

(go, vq) > . . . > {qk, Vk) > (9fe+i, i^fe+i) > ■ ■ ■ 

Clearly, $\rho'$ is Zeno. It remains to prove that $\rho'$ is a run of $A$. Denote $\nu_k$ by $\nu'_k$.

We need to show that for all $i > k$, $\nu'_i + \delta'_i$ satisfies the guard in the transition
$t_i$. Call this guard $g_i$. Clearly, since $\nu'_i + \delta'_i \leq \nu_i + \delta_i$ by definition, if $g_i$ is of form
$x < c$ or $x \leq c$ then it is satisfied by the new valuation. Let us now consider the
case when $g_i$ is of the form $x > c$ or $x \geq c$. If $c \geq 1$, then we know that $x \in X^l$
from the assumption on $k$. But since $\nu_k(x) > c$ and $x$ is not reset anywhere in
$\rho^k$, $\nu'_i(x) > c$ for all $i$ and hence the new valuation satisfies $g_i$. We are left with
the case when $g_i$ is of the form $x > 0$. However this follows since by definition
of the new + = iff + = 0. □



